Why businesses should care about the macOS exploit

Dive Brief:

Macs running operating systems that include the IOHIDFamily component have a serious security vulnerability, one that potentially extends to devices going as far back as 2002, according to a report published by a self-proclaimed "hobbyist hacker" going by the pseudonym Siguza.

Siguza published the "IOHIDeous" report on the last day of 2017 and did not give advance warning to Apple, so the company does not yet have a fix, according to a Bleeping Computer report.

The vulnerability allows hackers with local access or a previous foothold on a device to obtain root access when the device is shut down or rebooted, or when the user logs off, reports Bleeping Computer. Local privilege escalation flaws are noncritical, so Apple may wait until its routine monthly security update to fix the problem.

My primary goal was to get the write-up out for people to read. I wouldn't sell to blackhats because I don't wanna help their cause. I would've submitted to Apple if their bug bounty included macOS, or if the vuln was remotely exploitable.

Dive Insight:

As of December, OS X had a desktop OS market share of almost 22%, according to StatCounter. And while macOS takes second place to Windows in the desktop sphere, 2017 alone saw the sale of more than 19.25 million Macs, reports Statista.

In other words, there are a lot of Macs in the market, and this vulnerability went without notice or disclosure for at least 15 years. To put that in perspective, Facebook wasn't even founded until 2004 — at least two years after the IOHIDFamily flaw arose.

Many devices already run on outdated software. For example, as of November almost half of the two billion active Android devices were out of date, with the most recent Android OS release accounting for less than 1% of the overall Android market.

But the macOS exploit is an important reminder that even the most up-to-date system is sometimes not good enough. No matter how long a software component has been in use, it can take just one savvy hacker to bring it down.

In the meantime, comprehensive bug bounty programs can save companies a lot of trouble. Just ask the Air Force.